Recently Target announced that the credit card data breach it suffered back in 2013 ended up costing the company $162M. Now, I know some may argue that to a company like Target that number is a drop in the bucket, and you’re right. But there is a lesson to be learned from this. Companies must realize that no security infrastructure is 100% foolproof: not the multi-billion-dollar corporations, not the mom-and-pop shops in your local neighborhood, not the start-ups in Silicon Valley. But why?

This is the question that millions of people (maybe even yourself) are trying to wrap their heads around. Yes, your company has a dedicated security team, and has invested in security infrastructure, using technologies like SIEM solutions and products that provide “visibility.” Yet your SSN and employee information still ends up in the hands of cyber criminals!

If there is only one thing that you take away from this blog, understand this. Having security in place doesn’t mean you are somehow bulletproof and exempt from breaches. There’s no hacker guide that says “Leave X company alone. They’ve got cool security.” The increased number of cloud applications like Box, Office 365 and Salesforce, coupled with the rise in BYOD at work has allowed more data to flow outside the corporate firewall. Data is now EVERYWHERE, not just your company’s corporate network. Your IT security team must first realize this, accept it and then solve for it. Not the easiest thing to do.

Hackers Use The Goat Paths

When King Leonidas and the 300 Spartans took on the Persian army at the Hot Gates, they believed that they could hold their ground due to the mountain’s impenetrable walls. What they failed to consider was that an old goat path that Greek shepherds often used to cut through the mountains could also be found and used by the Persian army. The Persians found the goat path, surrounded the 300 Spartans, and defeated them. Why the random story?

Since companies want to benefit from the cloud’s flexibility and the productivity of BYOD, they also have to build ways of allowing their employees to reach their corporate data (goat paths). This simultaneously gives hackers a bigger attack surface to work with. In the past they relied mostly on malware, since data was kept inside corporate networks. Now that data has moved outside, they can also use techniques like phishing attacks to steal employee credentials, and then use those credentials to access company data. Since employees often have more access to sensitive data than they actually need, companies end up placing their data at risk.

This means that the same goat paths that company employees use to access sensitive company data can now also be used by hackers. All they need is employee credentials.

Security teams must keep these goat paths in mind.

Adopt the “Assume Mentality”

Companies must now assume that a breach is on its way and that it’s only a matter of time until they experience one. Instead of denying its possibility, make sure you prepare your IT security teammates, as well as your employees, for the inevitable.

Start building a security infrastructure designed with the goal of limiting the damage of a breach once it occurs instead of getting your hopes up on preventing them altogether.

Breaches are not preventable. But they are discoverable. Learn about Breach Discovery, a new solution that will help you limit the damage of breaches.

Between frequent headlines on data breaches and the growth of Shadow IT, it is easy to be captivated with what people are saying, blogging, and tweeting about the state of cloud adoption and security. But the fact is – it’s hard to separate the hype from the truth, and stories about security are often rich in speculation or exaggeration.

The sixth installment of our quarterly Cloud Adoption and Risk (CAR) Report presents a hard data-based analysis of enterprise cloud usage. With cloud usage data from over 15 million enterprise employees and 350 enterprises spanning all major verticals, this report is the industry’s most comprehensive and authoritative source of information on how employees are using cloud services. And, with a full year of usage statistics, this latest edition of the report is the industry’s most comprehensive to date.

You can download the full report here. In addition to popular recurring features such as the Top 20 Enterprise Cloud Services and the Ten Fastest-Growing Applications, the latest report contains several eye-opening findings. View the slideshow below for more highlights from the report.

The average company had 897 cloud services in use in Q4, up from 626 in Q4 last year. This growth was lopsided across categories. Development services (e.g. GitHub, SourceForge, etc.) experienced the largest rate of growth at 97%. The second fastest-growing category is collaboration (e.g. Microsoft Office 365, Gmail, etc.), which grew 53% despite already having a high number of services in use.

The Number of CSPs with Enterprise Security Capabilities Doubled

The number of cloud service providers investing in key security capabilities more than doubled in 2014. Specifically, 1,082 (11% of all services) now encrypt data at rest versus 470 in Q4 2013, 1,459 (17%) offer multi-factor authentication versus 705 in Q4 2013, and 533 (5%) hold ISO 27001 certification versus 188 in Q4 2013. At the same time, over 89% of the cloud services lack basic security capabilities required by enterprises.

Over One Third of Employees Upload Sensitive Data to File Sharing Services

Analyzing the use of file sharing and collaboration services revealed that 11% of documents were shared with business partners outside the company. Of externally shared documents, 9% contained sensitive data. Even more concerning was the fact that 18% of external collaboration requests went to third party email addresses (e.g. Gmail, Hotmail, and Yahoo! Mail).

92% of Companies Have Compromised Credentials

The vast majority of companies have users with at least one stolen credential, and the average company had 12% of users affected. The most exposed industries are Real Estate, High Tech, and Utilities, while the least exposed are Government and Healthcare. With 31% of passwords reused across websites and applications, stolen login credentials pose significant risk to corporate data.

By Sekhar Sarukkai, Co-Founder and VP of Engineering, Skyhigh Networks

The year is still young, and we’ve already witnessed a breach of potentially historic proportions. Anthem Inc, the nation’s second largest health insurer, released a statement last week announcing the breach of a database with 80 million customer records. Anthem estimated the number of stolen accounts at “tens of millions,” which would be the largest healthcare breach to date. For comparison, hacks at Target and Home Depot exposed 70 million and 56 million records, respectively. In this case, the records contain sensitive customer data including names, birthdays, addresses, and social security numbers. Fortunately the company reported no medical or financial information was stolen.

Let’s run through the mechanics of the attack based on available information. The source of the breach was a compromised login credential. The attackers initially ran a database query using a system administrator’s credentials. They then uploaded the hacked data to a cloud storage service. Anthem declined to name the service but did mention it is commonly used in US companies. This last fact may have made the exfiltration more difficult to detect. The average company uses 37 different file sharing services, which include a mix of enterprise ready services such as Box and high-risk services such as 4shared.

Anthem Only the Tip of the Iceberg

The circumstance through which hackers gained entrance into Anthem’s system is not rare; in fact it is the norm. User login credentials are sold on the Darknet by professional cybercriminals. Skyhigh’s analysis of cloud usage data of over 15 million enterprise employees across 350 enterprises indicates that 92% of companies have users with compromised credentials. On average, 12% of users are affected. In other words, over one in ten enterprise users have their credentials for sale on the Darknet. With 31% of passwords reused according to a study by Joseph Bonneau, stolen login credentials pose a huge liability for enterprise security.

Avoiding “The Big One”

To start, companies should enforce two-factor authentication to reduce the likelihood that a stolen credential alone is sufficient to gain access to a mission-critical system. Security should also put in place role-based access control for corporate systems so that no single credential has unfettered access to all data. With the prevalence of stolen credentials available to attackers, these are critical steps in preventing a breach of this scale.

There are two parts to this story, however. Security teams would be wise to guard the way out as well as the way in. In this case, and in an increasingly high number of instances, attackers used a cloud service to exfiltrate data. The cloud is an easy path for removing data from the corporate environment because many organizations lack visibility into the flow of traffic to cloud services. This points to the need for security intelligence systems that provide visibility into cloud usage and identify anomalous behavior. With this technology in place, alerts for anomalous behavior can not only identify external threats, but can also protect against insider threats.

As in the vast majority of cases, no single misstep or shortcoming led to this breach. There are clear steps companies can take to lower the likelihood of suffering a similar attack and to minimize the damage in the event hackers do gain access to corporate systems. Anthem’s breach should serve as a wake-up call to all enterprises.
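The “guard the way out” point above is concrete enough to show in code. The following is an added example, not code from Skyhigh or from the original post: it parses a few constructed proxy log lines (the `<time> <user> <method> <host> <bytes_out>` layout, the host names and the per-user baselines are all assumptions), sums outbound bytes per user to a watch list of file-sharing hosts, and flags any user whose upload volume exceeds a multiple of their normal daily baseline. In the sample data, an administrator account pushes hundreds of megabytes to two file-sharing services in one morning, which is the pattern the Anthem write-up describes.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// UploadEvent is one outbound transfer parsed from a proxy log line.
type UploadEvent struct {
	User  string
	Host  string
	Bytes int64
}

// Finding is a user whose uploads to file-sharing services exceed their baseline.
type Finding struct {
	User     string
	Bytes    int64
	Baseline int64
	Hosts    []string
}

// WatchedHosts is a constructed watch list of file-sharing destinations; a real
// deployment would load its catalogue of cloud services here instead.
var WatchedHosts = map[string]bool{
	"upload.box.example":    true,
	"api.4shared.example":   true,
	"files.dropbox.example": true,
}

// SampleLines are constructed proxy log lines in the (assumed) form
// "<time> <user> <method> <host> <bytes_out>".
var SampleLines = []string{
	"2015-01-27T09:12:01Z dbadmin POST upload.box.example 524288000",
	"2015-01-27T09:40:17Z dbadmin PUT api.4shared.example 314572800",
	"2015-01-27T10:02:44Z jsmith POST upload.box.example 2097152",
	"2015-01-27T10:05:00Z jsmith GET upload.box.example 10240",
	"2015-01-27T11:15:09Z amartin POST www.news.example 4096",
}

// SampleBaseline is each user's typical daily upload volume in bytes (constructed).
var SampleBaseline = map[string]int64{
	"dbadmin": 10 << 20, // 10 MiB
	"jsmith":  5 << 20,
	"amartin": 1 << 20,
}

// parseLine extracts user, destination host and outbound bytes from one line.
// Only upload methods count; downloads (GET) are not exfiltration.
func parseLine(line string) (UploadEvent, bool) {
	f := strings.Fields(line)
	if len(f) != 5 || (f[2] != "POST" && f[2] != "PUT") {
		return UploadEvent{}, false
	}
	n, err := strconv.ParseInt(f[4], 10, 64)
	if err != nil {
		return UploadEvent{}, false
	}
	return UploadEvent{User: f[1], Host: f[3], Bytes: n}, true
}

// DetectExfil sums upload bytes per user to watched hosts and flags every user
// whose total exceeds factor times their baseline. A user with no baseline is
// flagged on any upload, since nothing about their normal behaviour is known.
func DetectExfil(lines []string, baseline map[string]int64, factor float64) []Finding {
	totals := map[string]int64{}
	hosts := map[string]map[string]bool{}
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok || !WatchedHosts[ev.Host] {
			continue
		}
		totals[ev.User] += ev.Bytes
		if hosts[ev.User] == nil {
			hosts[ev.User] = map[string]bool{}
		}
		hosts[ev.User][ev.Host] = true
	}
	var out []Finding
	for user, b := range totals {
		base := baseline[user]
		if float64(b) > factor*float64(base) {
			var hs []string
			for h := range hosts[user] {
				hs = append(hs, h)
			}
			sort.Strings(hs)
			out = append(out, Finding{User: user, Bytes: b, Baseline: base, Hosts: hs})
		}
	}
	// Largest movers first, so the analyst starts with the worst case.
	sort.Slice(out, func(i, j int) bool { return out[i].Bytes > out[j].Bytes })
	return out
}

func main() {
	for _, f := range DetectExfil(SampleLines, SampleBaseline, 5) {
		fmt.Printf("%s uploaded %d bytes (baseline %d) to %v\n", f.User, f.Bytes, f.Baseline, f.Hosts)
	}
}
```

Run as-is, only `dbadmin` is reported: the regular user stays well under five times baseline and the upload to a non-file-sharing host is ignored entirely. The same loop applied to the previous quarter’s logs is how you would learn the baselines in the first place.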

“Healthcare orgs oh how we love you so, with your data so un secured no wonder we give it a go. SSNs, birthdays and addresses information galore, we can’t wait until next year when we steal some more.”

This is the song that healthcare data thieves must be singing every time they gain entry into the database of healthcare organizations across the globe. This week we learned of the giant Anthem breach that may have affected over 80 million customers and what may be the largest healthcare breach in history. For those of you who aren’t familiar with Anthem, they are the second largest insurance provider in the USA. Ironic how an insurer tasked with protecting their customer’s health and wellness couldn’t secure their data. The information stolen? SSNs, employee names, birthdays, addresses, email addresses and employment information.

The breach began on Dec 10th and was discovered on Jan 27th. It was the result of cyber criminals gaining access (no one is sure exactly how, but the guesses are lost mobile devices or a phishing attack) to an unencrypted database, which then allowed them to exfiltrate data. Now, to give Anthem some credit, 6 weeks actually isn’t too terrible given that the average breach today lasts for about 229 days! But the failure to encrypt sensitive data stored at rest in their database is certainly an epic fail. By now, encryption, or at least solid plans to begin encrypting, should be a best practice for any company holding sensitive data.

“You essentially have the keys to the kingdom to commit any type of identity theft.” – Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, San Diego, CA

Although no medical information or credit card data was stolen, the information obtained is still more than enough for cyber criminals to cash in on (think about all of the use cases for SSNs alone). Employer information was also stolen, so who knows what the residual effects will be for the employers as well. They may find themselves at risk of hackers using employee credentials to gain access to protected databases. And just so you know, this wasn’t the first time that Anthem has caught some heat. Back in 2013 they were asked to pay a fine of $1.7 million to resolve the online exposure of PHI data from over 614,000 people due to weak security.

5 Tips for Improving Healthcare Security From Bitglass

It’s quite simple actually. Healthcare organizations must first see security as an urgent matter and realize that customer trust is not a given, but is a privilege. Unfortunately breaches like Anthem serve as a reminder of the lack of data security in healthcare organizations. In addition to database encryption, here are 5 tips we have devised for securing data within healthcare institutions:

Establish comprehensive IT visibility and control over all data transactions

Control the flow of all information

Track and protect sensitive data anywhere it travels to

Deploy a Single Sign-On solution for increased password security

Make sure the security solution is easy to deploy and easy to use

We hope the victims of the Anthem breach are unaffected and hope that healthcare organizations take action before it’s too late for them.

When Henry Ford’s Model T was introduced to the world in 1908, with a list price of $850, it revolutionized transportation for the masses of the time. What many folks don’t know is that it had absolutely no mirrors attached to it. Early drivers had no visibility into who or what was behind or beside them. In fact, the only way for drivers to see what was around them was to completely turn their head. It wasn’t until 1920 that mirrors became available, for an extra charge. I’m sure some of you are thinking “I still turn and look over my shoulder.”

Today, the newest generation of cars now has an indicator (red dot or car symbol) on their side mirrors that blinks when someone is in your blind spot. We have all seen the TV ads showcasing this. This blind spot awareness is crucial because changing lanes without any visibility into who is already in that lane places you and your passengers at risk of an accident.

The same concept applies to data security. Companies are changing lanes, moving to cloud applications and BYOD infrastructures. Because of this, there are blind spots that exist in security infrastructures that need to be filled. Some of these blind spots include: what sensitive data is travelling outside of the firewall, where data is travelling to, and who is accessing this data. Without this visibility companies are blind to all potentially risky applications and sources.

Historically, traditional security vendors and IT teams have focused the majority of their energy on the prevention of breaches, and because of this were not innovating in post-breach security. This is why many existing security solutions are no longer viable: what happens when a breach does occur? If you really think about it, products like SIEM and MDM solutions are deployed today because they were the best technologies around when they were first created. They worked well for some time and, like all things, have become outdated.

Companies must adapt to a very new cloud and mobile world, which is by no means an easy feat. Instead of the traditional 80% of energy spent on the prevention of breaches, security teams must become more well-rounded. Prevention, dwell time reduction and advanced security are equally important today, as breaches are now a fact of life. Visibility plays a massive role in achieving all three.

Since data security is everyone’s job, it’s up to you, the employee to empower your company’s data security with visibility, so your company doesn’t have to be worried and unsure when changing lanes into cloud and BYOD.

To learn how to gain true visibility be sure to save your seat for our webinar on February 11th. We’ll discuss how to limit the damage of data breaches with our new product Breach Discovery.

Despite investments in security, breaches are still occurring at an alarming rate, whether the result of the world’s nefarious cyber criminals sending phishing or malware attacks through company email, or of insiders simply misusing sensitive data. Given the speed at which cyber criminals are able to pivot and create new security threats, companies must change their approach to security. We now live in a world where the prevention of breaches has become too difficult. The proliferation of data outside the firewall via mobile devices (company laptops, personal smartphones) has created an attack surface too large for company IT security teams to guard.

Criminals are no longer going for the quick win. They’re stealthily slipping through firewalls, nestling in deep within your infrastructure, and slowly exfiltrating data through company firewalls to remote servers they own. This often goes on for months, until the criminals are finally ousted or have gathered enough data to go off and sell on the black market or ransom back to the victim.

Visibility into what data is being exfiltrated is crucial in limiting damage from breaches. Now, before you start thinking about your SIEM solution that sends you 17,000 alerts a week, or the “visibility” company that only tells you what apps are currently running on your network (there are so many “Shadow IT” visibility companies out there, but Shadow IT only represents 4% of breaches), I want to explain what I mean by visibility. Visibility is the awareness of what data is leaving your network, and it tells you what the riskiest sources are in a way that prioritizes alerts for you. It provides actionable intelligence so that you can quickly identify areas of risk and, ultimately, whether or not you are experiencing a breach.

Lessons from “The Boy Who Cried Wolf”

We all know the story of the boy who cried wolf. A small boy, who is tasked with protecting his family’s sheep, jokingly yells “wolf, wolf!” multiple times, causing the townspeople to come running with their pitchforks and torches to aid him in fighting off the wolf. When the wolf actually comes, and the boy yells “wolf wolf” again, no one comes. The boy is then eaten.

This is the problem today. Companies are relying too much on their SIEM solutions. These solutions create WAY too many meaningless alerts per day. No IT team can manage 17,000 alerts per week, and definitely doesn’t want to. SIEM solutions cry “wolf wolf” so often that IT teams no longer view their alerts as a real threat. This is actually what happened in the Target breach. Alerts were received, but were not treated as true breach threats.

IT security must be able to limit the damage caused by breaches. In order to do so they need a solution that can provide them with actionable intelligence. They need to be able to identify the risky sources within their infrastructure so they can protect their data from the wolves trying to gobble up their sensitive data.
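What “prioritized, actionable” alerts look like in practice can be shown with a small triage routine. This is an added example, not code from Bitglass or the original post, and its scoring heuristic is a construction: each alert contributes severity weighted by the risk rating of the destination service, the per-source sum is multiplied by the number of distinct rules that fired on that source, and one point is added per MiB that actually left. The alert fields and the sample stream (one workstation tripping a low-severity rule 300 times, one admin workstation with three different alerts around a large upload) are assumptions chosen to mirror the 17,000-alerts problem.

```go
package main

import (
	"fmt"
	"sort"
)

// Alert is one raw alert in the shape a SIEM or proxy might emit (constructed).
type Alert struct {
	Source   string // host or user that triggered it
	Rule     string // detection rule name
	Severity int    // 1 (informational) to 5 (critical)
	Bytes    int64  // outbound bytes involved, 0 if no data moved
	DestRisk int    // risk rating of the destination service, 1 (low) to 10 (high)
}

// SourceSummary is the triaged view: one row per source instead of one per alert.
type SourceSummary struct {
	Source      string
	AlertCount  int
	Rules       []string
	MaxSeverity int
	Bytes       int64
	Score       float64
}

// SampleAlerts is a constructed alert stream: a workstation that trips a noisy
// low-severity rule 300 times, and an admin workstation whose three alerts
// together describe a large upload to a risky service.
func SampleAlerts() []Alert {
	var alerts []Alert
	for i := 0; i < 300; i++ {
		alerts = append(alerts, Alert{Source: "ws-0417", Rule: "port_scan_low", Severity: 1, DestRisk: 1})
	}
	alerts = append(alerts,
		Alert{Source: "dbadmin-ws", Rule: "large_upload", Severity: 4, Bytes: 500 << 20, DestRisk: 9},
		Alert{Source: "dbadmin-ws", Rule: "new_cloud_service", Severity: 3, DestRisk: 9},
		Alert{Source: "dbadmin-ws", Rule: "offhours_login", Severity: 3, DestRisk: 1},
	)
	return alerts
}

// Triage collapses raw alerts into per-source summaries and ranks them so the
// riskiest sources come first. Scoring (a constructed heuristic):
//   - each alert adds severity weighted by destination risk,
//   - the sum is multiplied by the number of distinct rules that fired on the
//     source (several different signals beat one signal repeated), and
//   - one point is added per MiB of data that actually left.
func Triage(alerts []Alert) []SourceSummary {
	bySource := map[string]*SourceSummary{}
	rulesSeen := map[string]map[string]bool{}
	for _, a := range alerts {
		s := bySource[a.Source]
		if s == nil {
			s = &SourceSummary{Source: a.Source}
			bySource[a.Source] = s
			rulesSeen[a.Source] = map[string]bool{}
		}
		s.AlertCount++
		s.Bytes += a.Bytes
		if a.Severity > s.MaxSeverity {
			s.MaxSeverity = a.Severity
		}
		if !rulesSeen[a.Source][a.Rule] {
			rulesSeen[a.Source][a.Rule] = true
			s.Rules = append(s.Rules, a.Rule)
		}
		s.Score += float64(a.Severity * a.DestRisk)
	}
	out := make([]SourceSummary, 0, len(bySource))
	for _, s := range bySource {
		s.Score = s.Score*float64(len(s.Rules)) + float64(s.Bytes)/(1<<20)
		sort.Strings(s.Rules)
		out = append(out, *s)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Score != out[j].Score {
			return out[i].Score > out[j].Score
		}
		return out[i].Source < out[j].Source
	})
	return out
}

func main() {
	for _, s := range Triage(SampleAlerts()) {
		fmt.Printf("%-12s score=%6.1f alerts=%3d maxsev=%d rules=%v\n",
			s.Source, s.Score, s.AlertCount, s.MaxSeverity, s.Rules)
	}
}
```

303 raw alerts become two rows, and the three-alert admin workstation outranks the 300-alert noise generator because it moved data to a risky destination and tripped several independent rules. That is the difference between a list an analyst will read and one they will learn to ignore.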

“Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.” – TechTarget

Encryption has gotten some much-needed attention over the past few weeks. With the release of a secret US security report unveiling the importance of encryption and how in 2009 private computers were vulnerable to attacks from cyber criminal gangs operating in Russia and China, plus David Cameron’s anti-encryption angle that he hopes to use to influence Obama, the topic is certainly worthy of discussion.

I know some of you may be looking at “2009” and thinking “Chris, it’s 2015, get with it,” but the fact is, encryption is even more valuable and necessary than ever. Since 2009, cloud app usage (think Salesforce) and BYOD have expanded significantly. 60% of organizations now utilize cloud apps. Since data now resides outside of corporate firewalls, companies need ways of encrypting their data, making sure that the growing number of cyber-criminal gangs in Russia and China don’t get their hands on it. But what’s the truth about encryption? And how do you know if it truly is as strong as you might think?

The Truth

Encryption has two main components. The first part is the cipher. This is the piece that transforms human-readable text into something unreadable (ciphertext). It’s the piece you probably think of the most, e.g. turning “Chris” into “WxoPNHz.” The second piece (the piece often overlooked) is called the Initialization Vector. This is an unpredictable random value that ensures that encrypting the same message repeatedly will yield a different ciphertext each time. To ensure sufficient randomness, the Initialization Vector should be the same number of bits as the cipher’s block.

To clarify: a lot of vendors promote AES-256 bit encryption. I am sure a lot of you are reading this now and saying “yes, this is exactly what my vendor says they provide” (think of the biggest vendors in the encryption space; I promise that by the end of this blog you’ll have some questions for them). For the less encryption-inclined, AES-256 bit encryption is the de facto standard for strong encryption in the enterprise. It implies that there are billions of combinations that can be made for each piece of plain text (regular name, credit card number, SSN etc.) and that the chance of cyber criminals breaking the encryption is close to impossible. Which would be true, if it were actually what some of the world’s biggest encryption vendors provided. But, unfortunately, there’s a good chance that your cloud encryption vendor has you duped.

Remember how I mentioned before that the initialization vectors were crucial? In order to make data searchable once encrypted and placed in the cloud (think Salesforce encryption), vendors have actually begun cutting down on the number of initialization vectors used in their products. This means that instead of the billions of combinations companies think they are purchasing, they are actually only getting 1 million in some cases. This is a HUGE difference! 1 million combinations is far less secure than multiple billions of combinations. Put differently, that 256 bit encryption turns into 20 bits. And at 20 bits, you might as well keep your money in your pocket because it’s just as useful as having no encryption at all.

So that’s the truth. Don’t be fooled by vendors claiming to have true AES-256 bit encryption. Yes their cipher will be on point, but it’s the initialization vectors that are also crucial. Limiting the number of these vectors to preserve cloud app operations like search changes your 256 bit super encryption, into a puny 20 bit encryption. Reach out to your encryption vendor now and ask them about their vectors, and don’t be surprised if you hear something you don’t like.
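The IV pool effect described above can be reproduced with real AES-256. The following is an added example, not code from Bitglass or the original post: it encrypts the same constructed sample value (an SSN-shaped string) 1,000 times with AES-256-CBC, once with a fresh random 128-bit IV per encryption and once drawing the IV from a small fixed pool, and counts how many different ciphertexts come out. The pool is scaled down from the 2^20 values the post describes to 16 so the collisions are visible immediately; the key is a constructed demo key and the function names are mine. The key stays 256 bits in both runs, which is exactly the point: the cipher is “on point,” yet a small IV pool means equal plaintexts start producing equal ciphertexts, so anyone holding the encrypted column can see which records share a value without ever touching the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// DemoKey is a constructed 256-bit key; a real deployment derives and manages its own.
var DemoKey = deriveDemoKey()

func deriveDemoKey() []byte {
	k := sha256.Sum256([]byte("constructed demo key, not for real use"))
	return k[:]
}

// pkcs7Pad pads plaintext to a whole number of AES blocks, as CBC requires.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC encrypts plaintext with AES-256-CBC under key and the supplied IV,
// returning iv || ciphertext.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(iv)+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], padded)
	return out, nil
}

// RandomIV returns a fresh unpredictable 128-bit IV: one block, never reused.
func RandomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// PooledIV models a vendor that reuses a small fixed set of IVs so that equal
// plaintexts collide often enough to be indexed and searched in the cloud app.
func PooledIV(poolSize int) func() []byte {
	pool := make([][]byte, poolSize)
	for i := range pool {
		pool[i] = RandomIV()
	}
	return func() []byte {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(poolSize)))
		if err != nil {
			panic(err)
		}
		return pool[idx.Int64()]
	}
}

// DistinctCiphertexts encrypts the same plaintext n times and reports how many
// different ciphertexts appear. Fewer distinct outputs means more leakage.
func DistinctCiphertexts(plaintext []byte, n int, nextIV func() []byte) int {
	seen := map[string]bool{}
	for i := 0; i < n; i++ {
		ct, err := EncryptCBC(DemoKey, nextIV(), plaintext)
		if err != nil {
			panic(err)
		}
		seen[hex.EncodeToString(ct)] = true
	}
	return len(seen)
}

func main() {
	ssn := []byte("123-45-6789") // constructed sample value
	fmt.Println("random IV,  1000 encryptions, distinct ciphertexts:", DistinctCiphertexts(ssn, 1000, RandomIV))
	fmt.Println("16-IV pool, 1000 encryptions, distinct ciphertexts:", DistinctCiphertexts(ssn, 1000, PooledIV(16)))
}
```

With random IVs every one of the 1,000 ciphertexts is different; with the pool there are never more than 16, and with 1,000 samples you will see all 16 within the first few dozen. The vendor question this suggests is a simple one: encrypt the same value twice and ask whether the two ciphertexts are ever allowed to match.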

Security and Skills Gap Hold Back Cloud Projects While Shadow IT Grows

By Cameron Coles, Sr. Product Marketing Manager, Skyhigh

A recent Cloud Security Alliance & Skyhigh survey shows that while security and skills gaps remain significant barriers to corporate-sanctioned cloud projects, end users are pushing IT departments to provide more cloud applications, faster than ever. The survey of 212 IT and security professionals looked at the state of cloud adoption – both sanctioned and shadow IT – and asked respondents how their organizations approach security, spending on cloud versus on-premise technology, and governance of data. The results show that while 33% of companies have a “full steam ahead” attitude toward cloud adoption, security concerns continue to hold back formal cloud projects. And, the concern about security has reached well beyond IT to the executive suite and boardroom.

The top barrier to cloud projects continues to be the security of data, with 73% of respondents indicating it was holding back cloud projects. Another significant barrier is a lack of knowledge and experience on the part of IT and business managers. This cloud skills gap held back cloud projects for 37% of companies in Europe and 29% of companies in the Americas. One explanation is that IT personnel are also focused on maintaining legacy on-premise infrastructure, and don’t have room to invest in the skills and resources needed for the cloud era.

Of course, employees are adopting cloud services unknown to IT and are not necessarily worried about the security of company data. Skyhigh’s Cloud Adoption and Risk Report shows that the scope of shadow IT can be 10 times greater than what IT is aware of. For most companies today, shadow IT is unknown and unmanaged. The overwhelming majority of respondents – 72 percent – said they did not know the scope of shadow IT at their companies but wanted to know. At companies with more than 5,000 employees the number grows to 80 percent. That makes free offerings like Skyhigh’s Cloud Audit that discover all cloud apps in use across an organization and provide a risk assessment of these apps so valuable.

Perhaps due to the flood of recent high-profile data breaches, including the attack on Target that led to a 46 percent drop in the company’s quarterly profit and the resignation of its CIO and CEO, the security of company data has spread far beyond the IT department. Cloud security is now an executive-level and board-level concern for 61% of companies. That interest is driving increased oversight of how companies govern their data, which will ultimately benefit everyone, although in the short term it means IT teams are looking for help with presenting their company’s security posture in terms that make sense to non-technical board members.

Despite, or perhaps because of, barriers to cloud projects, rank-and-file employees are taking an active role advocating for the cloud apps and devices they’ve come to expect in their personal lives. Among IT professionals, 79% receive requests for new cloud apps each month from end users. Highlighting the disconnect between sober IT departments and eager employees, 49% of IT professionals said they had felt pressured to approve an app they felt did not meet the company’s security requirements. The most requested categories of services include File Sharing and Collaboration (e.g. Box, Dropbox, Google Docs, OneDrive) followed by Communication (e.g. HipChat, Skype, WebEx, Yammer), and Social Media (e.g. Facebook, LinkedIn, Twitter).

One of the most surprising findings is that companies that are best positioned to adopt the cloud securely – because they have more mature governance programs – are, somewhat paradoxically, slower to adopt the cloud. Companies with more than 5,000 employees are more likely to have a cloud governance committee (34.8% versus 12.0%), have a policy on acceptable cloud usage (60.9% versus 44.8%), and have a security awareness training program (26.1% versus 20.3%) compared to companies with fewer than 5,000 employees. However, only 36.2% of them spend more than 20% of the IT budget on cloud services, compared with 49.0% of companies with fewer than 5,000 employees.

When it comes to enforcing these cloud policies, such as which employees are allowed to access what cloud services and where sensitive data can be uploaded, companies across the board prefer to use their firewall and proxy infrastructure versus rolling out device agents to employee devices. For all companies, 65% prefer to use their firewalls and 63% prefer to use their proxy. For companies with more than 5,000 employees, a whopping 95% of companies prefer to use their firewall or proxy versus leveraging device agents.

We are excited to announce the release of the January Netskope Cloud Report today. In it, we have our standard stuff – the latest cloud adoption numbers (this quarter, we report an average of 613 cloud apps per enterprise), as well as observed aggregate activities in our Active Platform, including which activities (such as “edit,” “share,” and “download”) constitute the highest number of policy violations and across what app categories.

Every quarter we focus more deeply on one area of cloud security, and this quarter we reveal early findings from research we have been conducting around compromised account credentials. We have noticed that a growing number of enterprise cloud users are logging into their cloud apps using login names and passwords that have been stolen as part of a data hack or exposure. Based on our research, we estimate that 15 percent of users have had their account credentials compromised.

Given that many people (as many as half, or even more in some reports) reuse their passwords for multiple accounts, and a high number of your enterprise users log into your popular cloud-based apps like Salesforce, Box, Dropbox, Concur, and WebEx, chances are your most business-critical apps are being accessed with compromised credentials. Even if you’re diligent about protecting those apps, you may not be able to detect the access.

There’s another related risk: While conscientious IT professionals have taken steps to protect their sanctioned corporate apps, many haven’t done anything to protect unsanctioned, departmental apps, some of which are highly used and important to the business. Based on our aggregated, anonymized data, we estimate that at least 13.5 percent of organizations’ apps are at the intersection of unsanctioned and business-critical. Those apps are usually not protected by single sign-on, nor is multi-factor authentication enforced in them, and they are at risk of being accessed by users with compromised credentials.

We are excited to announce the availability of “Cloud Security for Dummies,” a book that my co-founders and fellow chief architects and I collaborated on based on our interactions with the most forward-thinking CIOs, CISOs, and cloud architects from around the globe and virtually every industry. In the book, we compile the best recommendations and advice from this group of experts.

The book is full of advice ranging from how to think about cloud compliance to implementing a cloud policy to getting users on board with cloud security. Below is a summary of our must-haves for ensuring a safe transition to the cloud.

Discover apps. Discover the apps in your environment and assess their risk — both inherent and in the context of how they’re used.

Segment apps. Segment your apps by whether they’re sanctioned (managed by IT) or unsanctioned (brought in by departments or by individual users).

Secure access. Secure access to your sanctioned and ideally unsanctioned business apps, with single sign-on (SSO).

Enforce granular policies. Define granular policies that are enforceable in real-time, across both sanctioned and unsanctioned apps, regardless of whether users are on-network or remote, and whether in a web-based or native cloud app.

Protect data in context. Have a data protection strategy. For highly sensitive content that can’t be in the cloud at all, define policies that prevent it from being uploaded to any cloud app. For the next tier of content that can reside in the cloud, apply the appropriate level of security policy. This may include encrypting data before it reaches the cloud and/or limiting sharing options based on device, instance, or location.

Coach users. Coach users both through conversations and in an automated way. Let them know when they’ve done something that’s out of compliance (ideally in real-time, as the action is occurring), whether you block them, let them report a false positive, or let them bypass the policy with a justification.
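The “protect data in context” and “coach users” items above describe a policy engine, so here is one in miniature. This is an added example, not code from Netskope or from the book: it classifies the content of an upload into the two tiers the list describes (content that may never reach the cloud, and content that may if encrypted and with sharing limited) plus a public tier, then decides block, encrypt or allow from the tier, whether the app is sanctioned, and whether the device is managed, returning the coaching message alongside the decision. The sensitive-data detectors (an SSN pattern and a Luhn-checked card-number pattern), the `INTERNAL ONLY` marker, the `Upload` fields and the sample uploads are all constructed assumptions; a real deployment would plug in its own classifiers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Tier is the sensitivity class assigned to uploaded content.
type Tier int

const (
	TierPublic       Tier = iota // no restrictions
	TierConfidential             // may live in the cloud: sanctioned apps only, encrypted
	TierRestricted               // must never reach any cloud app
)

// Action is what the enforcement point does with an upload.
type Action string

const (
	Allow   Action = "allow"
	Encrypt Action = "encrypt"
	Block   Action = "block"
)

// Upload is one user action as the policy engine sees it (constructed shape).
type Upload struct {
	User, App     string
	Sanctioned    bool // app is managed by IT
	ManagedDevice bool // request came from a managed device
	Content       string
}

// Decision pairs the action with the message used to coach the user in real time.
type Decision struct {
	Action Action
	Tier   Tier
	Coach  string
}

var (
	ssnRe      = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	cardRe     = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
	internalRe = regexp.MustCompile(`(?i)\bINTERNAL ONLY\b`)
)

// luhnValid keeps order numbers and other 13-19 digit runs from being mistaken
// for card numbers: only digit strings that pass the Luhn check count.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Classify assigns a tier from the content itself.
func Classify(content string) Tier {
	if ssnRe.MatchString(content) {
		return TierRestricted
	}
	for _, m := range cardRe.FindAllString(content, -1) {
		if luhnValid(strings.NewReplacer(" ", "", "-", "").Replace(m)) {
			return TierRestricted
		}
	}
	if internalRe.MatchString(content) {
		return TierConfidential
	}
	return TierPublic
}

// Decide applies the tiered policy: restricted content is blocked everywhere,
// confidential content goes only encrypted to sanctioned apps, and uploads from
// unmanaged devices additionally lose external sharing.
func Decide(u Upload) Decision {
	tier := Classify(u.Content)
	switch {
	case tier == TierRestricted:
		return Decision{Block, tier, "This file contains SSNs or card numbers and cannot be stored in any cloud app."}
	case tier == TierConfidential && !u.Sanctioned:
		return Decision{Block, tier, "Confidential data may only go to IT-sanctioned apps; ask IT to review " + u.App + "."}
	case tier == TierConfidential && !u.ManagedDevice:
		return Decision{Encrypt, tier, "Stored encrypted; external sharing is disabled from unmanaged devices."}
	case tier == TierConfidential:
		return Decision{Encrypt, tier, "Stored encrypted."}
	}
	return Decision{Allow, tier, ""}
}

func main() {
	for _, u := range []Upload{ // constructed uploads, one per policy branch
		{"jsmith", "box", true, true, "Q3 roadmap - INTERNAL ONLY"},
		{"jsmith", "4shared", false, true, "Q3 roadmap - INTERNAL ONLY"},
		{"dbadmin", "box", true, true, "member 123-45-6789, plan B"},
		{"amartin", "box", true, false, "order 1234 5678 9012 3456 shipped"},
	} {
		d := Decide(u)
		fmt.Printf("%-8s -> %-8s %-7s tier=%d %s\n", u.User, u.App, d.Action, d.Tier, d.Coach)
	}
}
```

The last sample upload is the edge case worth noticing: a sixteen-digit order number fails the Luhn check and is allowed, whereas a real card number would be blocked, which is the kind of false-positive control that keeps users from learning to ignore the coaching messages.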

You can get your complimentary copy of the book here. We hope you find it useful as you consider your safe cloud enablement strategy.